Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,15 @@ services:
context: .
dockerfile: ./Dockerfile
container_name: txio-api
# Secrets (JWT_SECRET, BREVO_API_KEY, GROQ_API_KEYS, ...) come from this
# untracked file. Copy .env.example to backend/api/.env and fill it in.
# The API fails fast if JWT_SECRET is missing or <32 chars (see config.rs).
env_file:
- ./backend/api/.env
Comment on lines +15 to 19

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check JWT_SECRET validation in config.rs

# Look for JWT_SECRET validation logic
ast-grep --pattern 'if jwt_secret.$$$'

Repository: Kingvic300/txio

Length of output: 41


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Locate config.rs =="
fd -t f -e rs "config.rs" . | head -n 20

echo
echo "== Search for jwt_secret / JWT_SECRET =="
rg -n --hidden --no-ignore -S "jwt_secret|JWT_SECRET" backend/api . | head -n 200

echo
echo "== Show likely validation area =="
CONFIG_FILE="$(fd -t f -e rs "config.rs" backend/api . | head -n 1 || true)"
echo "Using config file: ${CONFIG_FILE:-<none found>}"

if [ -n "${CONFIG_FILE:-}" ]; then
  # Print sections likely containing validation / JWT_SECRET
  rg -n -S "jwt_secret|JWT_SECRET|len\\(\\)|length|<\\s*32|\\b32\\b" "$CONFIG_FILE" | head -n 200
  echo
  # Show around first match for context
  MATCH_LINE="$(rg -n -S "jwt_secret|JWT_SECRET" "$CONFIG_FILE" | head -n 1 | cut -d: -f1 || true)"
  if [ -n "${MATCH_LINE:-}" ]; then
    sed -n "$((MATCH_LINE-60)),$((MATCH_LINE+120))p" "$CONFIG_FILE" | nl -ba | head -n 250
  fi
fi

Repository: Kingvic300/txio

Length of output: 4884


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Inspect backend/api/src/utils/config.rs (JWT_SECRET validation) =="
nl -ba backend/api/src/utils/config.rs | sed -n '1,140p'

echo
echo "== Search for known/default weak secret patterns =="
rg -n -S --hidden --no-ignore "dev-secret|test-secret|known_weak|weak_secrets|default secret|blocklist|blacklist" backend/api . || true

echo
echo "== Search for JWT_SECRET length / other validation beyond config.rs =="
rg -n -S --hidden --no-ignore "JWT_SECRET|jwt_secret" backend/api/src | head -n 200

Repository: Kingvic300/txio

Length of output: 190


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Show backend/api/src/utils/config.rs (first ~120 lines with line numbers) =="
python3 - <<'PY'
from pathlib import Path
p = Path("backend/api/src/utils/config.rs")
lines = p.read_text().splitlines()
for i, line in enumerate(lines[:140], 1):
    print(f"{i:4d}\t{line}")
PY

echo
echo "== Search for weak/default secret blocklist logic in backend/api =="
rg -n -S --hidden --no-ignore "dev-secret|test-secret|known_weak|weak_secrets|weaksecret|blocklist|blacklist|default secret|known.*secret|REJECT.*secret|jwt.*secret.*(block|reject|deny)" backend/api . || true

echo
echo "== Search for JWT_SECRET validation beyond length check =="
rg -n -S --hidden --no-ignore "(JWT_SECRET|jwt_secret).*len\\(\\)|len\\(.*32|<\\s*32|at least 32|must be at least 32|must be set" backend/api/src . || true

echo
echo "== Search for any mention of “dev-secret” / sample secrets across repo =="
rg -n -S --hidden --no-ignore "dev-secret|test-secret|known default|weak secret|rotate|burned" . || true

Repository: Kingvic300/txio

Length of output: 50372


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search for blocklist/weaksecret logic in config/auth area =="
rg -n -S --hidden --no-ignore "known_weak|weak_secrets|blocklist|blacklist|dev-secret|test-secret|default.*JWT_SECRET|JWT_SECRET.*default|reject.*JWT_SECRET|deny.*JWT_SECRET" backend/api/src || true

echo
echo "== Search for the specific example weak secret strings (if present) =="
rg -n -S --hidden --no-ignore "dev-secret-key-at-least-32-chars-long-12345|test-secret-key-at-least-32-chars-long" . || true

echo
echo "== Show JWT_SECRET validation snippet context in config.rs =="
python3 - <<'PY'
from pathlib import Path
p=Path("backend/api/src/utils/config.rs")
lines=p.read_text().splitlines()
for i in range(15,50):
    if i<=len(lines):
        print(f"{i:4d}\t{lines[i-1]}")
PY

Repository: Kingvic300/txio

Length of output: 1211


Reject known/default JWT_SECRET values (not just minimum length).

backend/api/src/utils/config.rs only checks that JWT_SECRET is set and len() >= 32; it does not reject any known/default/weak values. This leaves the PR objective from issue #25 unmet (“additionally reject known/default values”), since well-known placeholder secrets that meet the length threshold would still deploy.

Add an explicit denylist (at least for the documented defaults from backend/api/.env.example / other known dev secrets) or an entropy/format policy that makes weak defaults fail fast, and ensure the team rotates any previously committed/burned secret.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker-compose.yml` around lines 15 - 19, The JWT_SECRET validation currently
only checks presence and minimum length in backend/api/src/utils/config.rs; add
an explicit denylist check (or an entropy/format check) inside the same
validation path (e.g., in the function that reads/validates JWT_SECRET such as
the config load/validate function) so that known defaults from .env.example (and
other common placeholders) are rejected even if length >= 32; implement by
creating a small denylist set of strings (include documented defaults), perform
the denylist check immediately after the len() check and return an error/exit if
matched, and update any error message to instruct rotation of previously
committed/burned secrets so the team rotates them.

environment:
MONGO_URI: mongodb://mongodb:27017/txio
RUST_LOG: info
JWT_SECRET: dev-secret-key-at-least-32-chars-long-12345
BREVO_API_KEY: dummy-key
PORT: 8000
SUI_CLI_EMAIL: dev@txio.io
ports:
- "8000:8000"
depends_on:
Expand Down
Loading